Operating systems and programming languages supported by Amazon Inspector
Amazon Inspector can scan software applications installed on Amazon Elastic Compute Cloud (Amazon EC2) instances, container images stored in Amazon Elastic Container Registry (Amazon ECR) repositories, and AWS Lambda functions. For ECR container images, Amazon Inspector can scan for both operating system and programming language package vulnerabilities. For Lambda functions, Amazon Inspector can scan for code vulnerabilities. When Amazon Inspector scans resources, it uses its own purpose-built scanning engine and it sources more than 50 data feeds to generate findings for Common Vulnerabilities and Exposures (CVEs). Sources include vendor security advisories, NVD, MITRE, open-source feeds, internal research, and licensed data feeds.
For Amazon Inspector to scan a resource, the resource must be running a supported operating system or use a supported programming language. The topics in this section list the operating systems, runtimes, and programming languages that Amazon Inspector currently supports for different resources and scan types. They also list operating systems that Amazon Inspector previously supported, but have since been discontinued by vendors. Amazon Inspector can provide only limited support for an operating system after a vendor discontinues support for the operating system.
Topics
- Supported operating systems: Amazon EC2 scanning
- Supported programming languages: Amazon EC2 deep inspection
- Supported operating systems: CIS scanning
- Supported operating systems: Amazon ECR scanning with Amazon Inspector
- Supported programming languages: Amazon ECR scanning
- Supported runtimes: Amazon Inspector Lambda standard scanning
- Supported runtimes: Amazon Inspector Lambda code scanning
- Discontinued operating systems
Supported operating systems: Amazon EC2 scanning
The following table lists the operating systems that Amazon Inspector supports for the scanning of Amazon EC2 instances. It lists the source of the vendor security advisories for each operating system. It also helps you determine whether any of the supported operating systems can be scanned using agent-based scanning or agentless scanning.
When using the agent-based scanning method, you configure the SSM agent to perform continuous scans on all eligible instances. Amazon Inspector recommends that you configure a version of the SSM agent that's greater than 3.2.2086.0. For more information, see Working with the SSM Agent in the Amazon EC2 Systems Manager User Guide.
Note
Linux operating system detections are supported only for the default package manager repository (rpm and dpkg) and don't include third-party applications, extended support repositories (BYOS RHEL, PAYG RHEL, and RHEL for SAP), and optional repositories (Red Hat Application Streams).
Operating system | Version | Vendor security advisories | Agentless scan support | Agent-based scan support |
---|---|---|---|---|
AlmaLinux | 8 | ALSA | Yes | Yes |
AlmaLinux | 9 | ALSA | Yes | Yes |
Amazon Linux (AL2) | AL2 | ALAS | Yes | Yes |
Amazon Linux 2023 (AL2023) | AL2023 | ALAS | Yes | Yes |
Bottlerocket | 1.7.0 and later | GHSA, CVE | No | Yes |
CentOS Linux (CentOS) | 7 | CESA | Yes | Yes |
Debian Server (Buster) | 10 | DSA | Yes | Yes |
Debian Server (Bullseye) | 11 | DSA | Yes | Yes |
Debian Server (Bookworm) | 12 | DSA | Yes | Yes |
Fedora | 38 | CVE | Yes | Yes |
Fedora | 39 | CVE | Yes | Yes |
OpenSUSE Leap | 15.5 | CVE | Yes | Yes |
Oracle Linux (Oracle) | 7 | ELSA | Yes | Yes |
Oracle Linux (Oracle) | 8 | ELSA | Yes | Yes |
Oracle Linux (Oracle) | 9 | ELSA | Yes | Yes |
Red Hat Enterprise Linux (RHEL) | 7 | RHSA | Yes | Yes |
Red Hat Enterprise Linux (RHEL) | 8 | RHSA | Yes | Yes |
Red Hat Enterprise Linux (RHEL) | 9 | RHSA | Yes | Yes |
Rocky Linux | 8 | RLSA | Yes | Yes |
Rocky Linux | 9 | RLSA | Yes | Yes |
SUSE Linux Enterprise Server (SLES) | 12.5 | SUSE CVE | Yes | Yes |
SUSE Linux Enterprise Server (SLES) | 15.5 | SUSE CVE | Yes | Yes |
Ubuntu (Xenial) | 16.04 (ESM) | USN, Ubuntu Pro | Yes | Yes |
Ubuntu (Bionic) | 18.04 (ESM) | USN, Ubuntu Pro | Yes | Yes |
Ubuntu (Focal) | 20.04 (LTS) | USN | Yes | Yes |
Ubuntu (Jammy) | 22.04 (LTS) | USN | Yes | Yes |
Ubuntu (Mantic Minotaur) | 23.10 | USN | Yes | Yes |
Windows Server | 2016 | MSKB | No | Yes |
Windows Server | 2019 | MSKB | No | Yes |
Windows Server | 2022 | MSKB | No | Yes |
macOS (Mojave) | 10.14 | APPLE-SA | No | Yes |
macOS (Catalina) | 10.15 | APPLE-SA | No | Yes |
macOS (Big Sur) | 11 | APPLE-SA | No | Yes |
macOS (Monterey) | 12 | APPLE-SA | No | Yes |
macOS (Ventura) | 13 | APPLE-SA | No | Yes |
Supported programming languages: Amazon EC2 deep inspection
Amazon Inspector currently supports the following programming languages when scanning Amazon EC2 Linux instances for vulnerabilities in third-party software packages:
-
Java
-
JavaScript
-
Python
Amazon Inspector uses Systems Manager Distributor to deploy the plugin used for deep inspection in your Amazon EC2 instance. Systems Manager Distributor supports the operating systems listed as Supported package platforms and architectures in the Systems Manager guide. Your Amazon EC2 instance's operating system must be supported by Systems Manager Distributor and Amazon Inspector for Amazon Inspector to perform deep inspection scans.
Note
Deep inspection is not supported for Bottlerocket operating systems.
Supported operating systems: CIS scanning
The following table lists the operating systems that Amazon Inspector currently supports for CIS scans. It also lists the CIS benchmark version that's used to perform scans of that operating system.
Operating system | Version | CIS benchmark version |
---|---|---|
Amazon Linux 2 | AL2 | 2.0.0 |
Amazon Linux 2023 | AL2023 | 1.0.0 |
Red Hat Enterprise Linux (RHEL) | 8 | 3.0.0 |
Red Hat Enterprise Linux (RHEL) | 9 | 1.0.0 |
Rocky Linux | 8 | 2.0.0 |
Rocky Linux | 9 | 1.0.0 |
Ubuntu (Bonic) | 18.04 (LTS) | 2.1.0 |
Ubuntu (Focal) | 20.04 (LTS) | 2.0.1 |
Ubuntu (Jammy) | 20.04 (LTS) | 1.0.0 |
Windows Server | 2019 | 2.0.0 |
Windows Server | 2022 | 2.0.0 |
Supported operating systems: Amazon ECR scanning with Amazon Inspector
Amazon Inspector currently supports scanning the following operating systems when scanning container images in Amazon ECR repositories:. The table also lists the source of the vendor security advisories for each operating system.
Operating system | Version | Vendor security advisories |
---|---|---|
Alpine Linux (Alpine) | 3.16 | Alpine SecDB |
Alpine Linux (Alpine) | 3.17 | Alpine SecDB |
Alpine Linux (Alpine) | 3.18 | Alpine SecDB |
Alpine Linux (Alpine) | 3.19 | Alpine SecDB |
AlmaLinux | 8 | ALSA |
AlmaLinux | 9 | ALSA |
Amazon Linux (AL2) | AL2 | ALAS |
Amazon Linux 2023 (AL2023) | AL2023 | ALAS |
CentOS Linux (CentOS) | 7 | CESA |
Debian Server (Buster) | 10 | DSA |
Debian Server (Bullseye) | 11 | DSA |
Debian Server (Bookworm) | 12 | DSA |
Fedora | 38 | CVE |
Fedora | 39 | CVE |
OpenSUSE Leap | 15.5 | CVE |
Oracle Linux (Oracle) | 7 | ELSA |
Oracle Linux (Oracle) | 8 | ELSA |
Oracle Linux (Oracle) | 9 | ELSA |
Photon OS | 4 | PHSA |
Photon OS | 5 | PHSA |
Red Hat Enterprise Linux (RHEL) | 7 | RHSA |
Red Hat Enterprise Linux (RHEL) | 8 | RHSA |
Red Hat Enterprise Linux (RHEL) | 9 | RHSA |
Rocky Linux | 8 | RLSA |
Rocky Linux | 9 | RLSA |
SUSE Linux Enterprise Server (SLES) | 12.5 | SUSE CVE |
SUSE Linux Enterprise Server (SLES) | 15.5 | SUSE CVE |
Ubuntu (Xenial) | 16.04 (ESM) | USN, Ubuntu Pro |
Ubuntu (Bionic) | 18.04 (ESM) | USN, Ubuntu Pro |
Ubuntu (Focal) | 20.04 (LTS) | USN |
Ubuntu (Jammy) | 22.04 (LTS) | USN |
Ubuntu (Mantic Minotaur) | 23.10 | USN |
Supported programming languages: Amazon ECR scanning
Amazon Inspector currently supports the following programming languages when scanning container images in Amazon ECR repositories:
-
C#
-
Go
-
Java
-
JavaScript
-
PHP
-
Python
-
Ruby
-
Rust
Supported runtimes: Amazon Inspector Lambda standard scanning
Amazon Inspector Lambda standard scanning currently supports the following programming languages when scanning Lambda functions for vulnerabilities in third-party software packages:
-
Java
-
java8
-
java8.al2
-
java11
-
java17
-
-
Node.js
-
nodejs12.x
-
nodejs14.x
-
nodejs16.x
-
nodejs18.x
-
nodejs20.x
-
-
Python
-
python3.7
-
python3.8
-
python3.9
-
python3.10
-
python3.11
-
-
Go
-
go1.x
-
-
Ruby
-
ruby2.7
-
ruby3.2
-
-
.NET
-
.NET 6
-
Supported runtimes: Amazon Inspector Lambda code scanning
Amazon Inspector Lambda code scanning currently supports the following programming languages when scanning Lambda functions for vulnerabilities in code:
-
Java
-
java8
-
java8.al2
-
java11
-
java17
-
-
Node.js
-
nodejs12.x
-
nodejs14.x
-
nodejs16.x
-
nodejs18.x
-
nodejs20.x
-
-
Python
-
python3.7
-
python3.8
-
python3.9
-
python3.10
-
python3.11
-
-
Ruby
-
ruby2.7
-
ruby3.2
-
-
.NET
-
.NET 6
-
Discontinued operating systems
Standard vendor support for the operating systems listed in the following tables has been discontinued by the vendor. In the tables, the Discontinued column indicates when the vendor discontinued standard support for an operating system.
Amazon Inspector previously provided full support for these operating systems and will continue to scan Amazon EC2 instances and Amazon ECR container images that are running them. However, in accordance with vendor policy, the operating systems are no longer updated with patches and, in many cases, new security advisories are no longer released for them. In addition, some vendors remove existing security advisories and detections from their feeds when an affected operating system reaches the end of standard support. Consequently, Amazon Inspector might stop generating findings for known CVEs. Any findings that Amazon Inspector does generate for a discontinued operating system should be used for informational purposes only.
As a security best practice and for continued Amazon Inspector coverage, we encourage you to move to a current, supported version of an operating system.
Discontinued operating systems: Amazon EC2 scanning
Operating system | Version | Discontinued |
---|---|---|
Amazon Linux (AL1) | 2012 | December 31, 2021 |
CentOS Linux (CentOS) | 8 | December 31, 2021 |
Debian Server (Stretch) | 9 | June 30, 2022 |
Fedora | 35 | December 13, 2022 |
Fedora | 36 | May 16, 2023 |
Fedora | 37 | December 15, 2023 |
OpenSUSE Leap | 15.2 | December 1, 2021 |
OpenSUSE Leap | 15.3 | December 1, 2022 |
OpenSUSE Leap | 15.4 | December 7, 2023 |
Oracle Linux (Oracle) | 6 | March 1, 2021 |
SUSE Linux Enterprise Server (SLES) | 12 | June 30, 2016 |
SUSE Linux Enterprise Server (SLES) | 12.1 | May 31, 2017 |
SUSE Linux Enterprise Server (SLES) | 12.2 | March 31, 2018 |
SUSE Linux Enterprise Server (SLES) | 12.3 | June 30, 2019 |
SUSE Linux Enterprise Server (SLES) | 12.4 | June 30, 2020 |
SUSE Linux Enterprise Server (SLES) | 15 | December 31, 2019 |
SUSE Linux Enterprise Server (SLES) | 15.1 | January 31, 2021 |
SUSE Linux Enterprise Server (SLES) | 15.2 | December 31, 2021 |
SUSE Linux Enterprise Server (SLES) | 15.3 | December 31, 2022 |
SUSE Linux Enterprise Server (SLES) | 15.4 | December 31, 2023 |
Ubuntu (Trusty) | 14.04 (ESM) | April 1, 2024 |
Ubuntu (Groovy) | 20.10 | July 22, 2021 |
Ubuntu (Hirsute) | 21.04 | January 20, 2022 |
Ubuntu (Impish) | 21.10 | July 31, 2022 |
Ubuntu (Kinetic) | 22.10 | July 20, 2023 |
Ubuntu (Lunar Lobster) | 23.04 | January 25, 2024 |
Windows Server | 2012 | October 10, 2023 |
Windows Server | 2012 R2 | October 10, 2023 |
Discontinued operating systems: Amazon ECR scanning
Operating system | Version | Discontinued |
---|---|---|
Alpine Linux (Alpine) | 3.12 | May 1, 2022 |
Alpine Linux (Alpine) | 3.13 | November 1, 2022 |
Alpine Linux (Alpine) | 3.14 | May 1, 2023 |
Alpine Linux (Alpine) | 3.15 | November 1, 2023 |
Amazon Linux (AL1) | 2012 | December 31, 2021 |
CentOS Linux (CentOS) | 8 | December 31, 2021 |
Debian Server (Stretch) | 9 | June 30, 2022 |
Fedora | 35 | December 13, 2022 |
Fedora | 36 | May 16, 2023 |
Fedora | 37 | December 15, 2023 |
OpenSUSE Leap | 15.2 | December 1, 2021 |
OpenSUSE Leap | 15.3 | December 1, 2022 |
OpenSUSE Leap | 15.4 | December 7, 2023 |
Oracle Linux (Oracle) | 6 | March 1, 2021 |
Photon OS | 3 | March 1, 2024 |
SUSE Linux Enterprise Server (SLES) | 12 | June 30, 2016 |
SUSE Linux Enterprise Server (SLES) | 12.1 | May 31, 2017 |
SUSE Linux Enterprise Server (SLES) | 12.2 | March 31, 2018 |
SUSE Linux Enterprise Server (SLES) | 12.3 | June 30, 2019 |
SUSE Linux Enterprise Server (SLES) | 12.4 | June 30, 2020 |
SUSE Linux Enterprise Server (SLES) | 15 | December 31, 2019 |
SUSE Linux Enterprise Server (SLES) | 15.1 | January 31, 2021 |
SUSE Linux Enterprise Server (SLES) | 15.2 | December 31, 2021 |
SUSE Linux Enterprise Server (SLES) | 15.3 | December 31, 2022 |
SUSE Linux Enterprise Server (SLES) | 15.4 | December 31, 2023 |
Ubuntu (Trusty) | 14.04 (ESM) | April 1, 2024 |
Ubuntu (Groovy) | 20.10 | July 22, 2021 |
Ubuntu (Hirsute) | 21.04 | January 20, 2022 |
Ubuntu (Impish) | 21.10 | July 31, 2022 |
Ubuntu (Kinetic) | 22.10 | July 20, 2023 |
Ubuntu (Lunar Lobster) | 23.04 | January 25, 2024 |